On Tue, Jan 23, 2007 at 04:31:56PM +0100, Julien Oix wrote:
hi everyone,
I made a previous post, but no one answered, so I'm trying again :)
I'm trying to deploy a meta directory using the OpenLDAP meta backend.
I'm using the slapd Etch Debian package, version 2.3.27-1
When my target server includes the following ACL, everything is fine: I can retrieve any data through the meta directory using ldapsearch, it works fine
##
access to attrs=userPassword by dn="cn=admin,dc=toto,dc=fr" write by anonymous auth by self write by * none
and
access to * by dn="cn=admin,dc=toto,dc=fr" write by * read
##
but I want only authenticated connections (no anonymous bind, if I'm right) to have read access, so I change the ACL like this
##
access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=toto,dc=fr" write by anonymous auth by self write by * none
and
access to * by dn="cn=admin,dc=toto,dc=fr" write by self read by anonymous auth by * none
Why not change this to
access to * by dn="cn=admin,dc=toto,dc=fr" write by users read by * none
The above line says only allow self to access *, so if the object is the DN for the user it is allowed to read, but it is not allowed to read anything else
##
So, for this target, I'm adding the acl-authcDN and acl-passwd directives to the meta directory, with the target's rootdn and rootpw values, in order to enable ACL checking and matching (in that case, the write privilege for dn="cn=admin,dc=toto,dc=fr")
giving this in the meta backend conf
##
database meta
suffix "dc=meta-ufr-info-p7,dc=jussieu,dc=fr"
uri "ldap://localhost:389/dc=meta-ufr-info-p7,dc=jussieu,dc=fr"
suffixmassage "dc=meta-ufr-info-p7,dc=jussieu,dc=fr" "dc=toto,dc=fr"
acl-authcDN "cn=admin,dc=toto,dc=fr"
acl-passwd "xxxxx"
##
But at this point, I can't retrieve any data anymore when I perform an ldapsearch through the meta directory ....
Is there anything wrong in my conf ?
The slapd-meta man page says about the acl-authcDN directive: "it is supposed to have read access on the target server to attributes used on the proxy for acl checking."
What does that mean exactly ? :)
haven't looked at meta data
Thanks.
Julien Oix UFR d'Informatique - Université Paris Diderot
Bureau 5C01 (5ème étage) 175 rue du Chevaleret 75013 PARIS
Tel : +33 (0) 144 278 504 Mobile : +33 (0) 664 392 207
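An added example, not part of this thread: a small Python model of slapd's "access to ... by ..." evaluation (the first matching "by" clause wins and later clauses are never consulted), run over the two "access to *" rules quoted above to show why "by self read" limits an authenticated user to its own entry while "by users read" grants any authenticated identity read access. The bind DNs for bob and alice are constructed.

```python
# Added example, not from the thread: models slapd's "access to ... by ..."
# evaluation (first matching "by" clause wins) to compare the two rules above.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The two "access to *" rules quoted in the thread.
ORIGINAL_RULE = ('access to * by dn="cn=admin,dc=toto,dc=fr" write '
                 'by self read by anonymous auth by * none')
PROPOSED_RULE = ('access to * by dn="cn=admin,dc=toto,dc=fr" write '
                 'by users read by * none')

def parse_access(line):
    """Split 'access to <what> by <who> <level> [by ...]' into (what, [(who, level)])."""
    head, *by_parts = line.split(" by ")
    what = head.split("access to ", 1)[1].strip()
    return what, [tuple(part.split(None, 1)) for part in by_parts]

def who_matches(who, bind_dn, entry_dn):
    """True if the 'by <who>' selector applies; bind_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":                       # any authenticated identity
        return bind_dn is not None
    if who == "self":                        # only the entry's own DN
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return bind_dn is not None and bind_dn.lower() == who[4:-1].lower()
    raise ValueError("unsupported selector: " + who)

def access_level(rule, bind_dn, entry_dn):
    """Level granted by the first matching clause; slapd falls back to 'none'."""
    _, clauses = parse_access(rule)
    for who, level in clauses:
        if who_matches(who, bind_dn, entry_dn):
            return level.strip()
    return "none"

def can(rule, bind_dn, entry_dn, needed):
    """Does the granted level cover the requested one (levels are cumulative)?"""
    return LEVELS.index(access_level(rule, bind_dn, entry_dn)) >= LEVELS.index(needed)

if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=toto,dc=fr"      # constructed bind DN
    alice = "uid=alice,ou=people,dc=toto,dc=fr"  # constructed entry DN
    print("original, bob reading alice:", access_level(ORIGINAL_RULE, bob, alice))
    print("proposed, bob reading alice:", access_level(PROPOSED_RULE, bob, alice))
```

Under the original rule an authenticated user other than the entry owner falls through to "by * none", which is why a proxy bound as an ordinary user sees nothing beyond its own entry; the proxy's acl-authcDN identity still matches the first clause and gets write.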